script security question

jdavila28

im making a chat room. of course it's setup so that on each run it checks session id's etc to make sure it's valid. but rather than store all my command files in the main script, to cut out unecessary opcode compiling (even though im using xcache) i'm curious if this is safe enough.

so at one point in the execuction, it checks to see if a /command has been executed. if so, it requires $command.php from a secure directory that requires authentication to access. but also, i put this line in the top of each of my php files that are in their own seperate command files. assuming that i start the database connection in the MAIN script after session ID's have been confirmed and validated, if i put the following line (and it seems to work so far? im just not super hacker smart yet) at the top of each of the individual command files, the only way they should be able to get past this is if they know my database information and can create a fake database connection from remotely right? here is the code i have put at the top of each command file

if (!$link){
header("location:login.php");
exit;
}

$link of course, is the variable in the main script containing the mysql_connect(localhost, username, password)

if $link is not valid, it redirects them to the login page.

is this safe enough. or should i be securing these individual php files in a different, better way?

Weedpacket

Having all of the commands listed in one script is at least as secure. Your description is a bit haphazard (read your first paragraph again and ask yourself if it actually makes sense), but one thing's for sure: it sounds quite a bit more complicated, which means there's more potential for bugs and therefore security flaws.

jdavila28

here. ill see if i can explain it a bit better in simple terms. this is just a simple example and doesnt actually contain my script.

MAIN SCRIPT BEGIN CHAT.PHP

$link = connect to mysql, blah blah blah.
check_if_session_is_still_valid{
if it is continue,
if not, display error page.
}

do some more stuff
do some more stuff

require command.php
exit;
########## END OF MAIN SCRIPT ########

BEGIN COMMAND.PHP FILE - OUTSIDE OF MAIN SCRIPT

<?
if (!$link){
header("location:login.php");
exit;
}

// otherwise, if $link is valid
continue on to the rest of command.php and execute the command.

END OF COMMAND.PHP FILE

jdavila28

second question.

since i have about 50 command files and all together they would add an additional 200-300 KB of data to my main chat script which is only 14KB in size due to the fact that i have all the commands outside of the script. would adding them to the script make a difference in speed on my script?

I'm using XCACHE which is an opcode cacher which increases php speeds by like 400-500% and reduces server load by a huge amount. but the main reason i made this require command.php system if /command was recognized, was to cut the size of the script down to neccessity only.

jdavila28

also the folder containing my "command.php" files is located in the root directory of my server, not in the public html area.